In all seriousness the concept, especially from a security perspective, of an account expiry is sound. So why would you want an account to never expire? My guess would be for a service account or something of that nature or for testing purposes. But, since I'm just as curious as a cat, would you mind sharing?

Funny you should mention that, because when you were hired, we set your account to expire Nov 24th 2017.

Does anyone really set the accountExpires? It makes sense if you hire people on contract or if you have an employee who gives notice. But if you hire FTE's, at the beginning, surely you wouldn't set that field to anything other than Never expires.

I guess in Rhia's situation, it could be that you hired a contractor who had an end date for his contract, and midstream, they were converted to an FTE.

Well oddly enough, having a domain admin account and a workflow, I've remedied that situation.

Having spent some time in corporate IT (and infrastructure specifically) this is something that was very important to consider. Our temporary contract workers had 6 month expiration on their AD accounts.

But, less anyone's AD OU's fill up with tons of old accounts, expiration is a good policy to enable in group policy and the SAMexpirationdate could be updated for say another 12 months (or more) after a performance review, open enrollment, etc.

My client hires a LOT of consultants, so expiry dates are a requirement for them. And all of their FTE have no expiry date.

Right now, a process is that if the employee gives a resignation, the workflow will set their AD to expire the day after their departure. However, if they change their mind mid-leave, and decide to stay (oh, you'll give me a $60k raise? Sure, I'll stay!) we then need to clear that expiry.